[Samba] Setting uidNumber for machine accounts
Jonathon Reinhart
jonathon.reinhart at gmail.com
Mon Feb 17 01:17:03 UTC 2020
On Fri, Feb 14, 2020 at 12:44 PM Kris Lou via samba
<samba at lists.samba.org> wrote:
>
> >
> > I was aware that computer accounts were also users in AD, but I hadn't
> > considered assigning a uidNumber to them. It makes sense that winbind
> > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > Naturally, groups of which the computer accounts are members would
> > need gidNumber assigned as well.
>
>
> This is interesting. I also have a similar use case in that my computer
> accounts (as SYSTEM) access a share for deployment purposes (via WPKG).
> However, I use "idmap=rid", so I avoid this pitfall. (And a good thing,
> too. I don't know if I would've made the connection about a missing
> uidNumber.)
>
> But to maintain consistency with other idmap options (and to reduce the,
> well, "oh, I missed that"), I think it would be helpful to add to your
> utility.
>
> Note to self: read more carefully.
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Kris Lou
> klou at themusiclink.net
>
>
> On Fri, Feb 14, 2020 at 12:28 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
> > On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> > > Hello,
> > >
> > > A user of my "adman" utility recently opened this issue [1]: "Add
> > > support for setting uidNumber for machine account"
> > >
> > > I was aware that computer accounts were also users in AD, but I hadn't
> > > considered assigning a uidNumber to them. It makes sense that winbind
> > > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > > Naturally, groups of which the computer accounts are members would
> > > need gidNumber assigned as well.
> > >
> > > I understand the OP in this post [2] had the following use case: A
> > > startup script uses the computer account to access a samba server.
> > In most cases on Unix, computers do not need an ID, but there are always
> > corner cases ;-)
> > >
> > > Questions:
> > >
> > > 1. Which groups should or should not be assigned gidNumber? The issue
> > > [1] indicates that "Domain Computers" should indeed have gidNumber.
> > > However my assignment logic [3] specifically excludes "Domain
> > > Computers" based on the original recommendation from this post [4]
> > > which says "Which groups should be excluded? Just about all the groups
> > > that a provision provides, with the exception of Domain Users".
> > Well, yes, but as I said, there are always corner cases and in this case
> > 'Domain Computers' must have a gidNumber because a computer's
> > PrimaryGroupID is the RID for 'Domain Computers'
> > >
> > > 2. What other use cases are there for winbind needing to know about
> > > computer accounts?
> > No idea, but there are probably some.
> > > Is it just Samba file servers? If so, are there other cases where the
> > > computer account is authenticating?
> > If something goes directly to ldap, then no, but if it relies on
> > winbind, then yes.
> > > Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > > computer accounts (e.g. in wbinfo -u)?
> >
> > Now this is interesting, 'wbinfo -u' on a DC will not show computers,
> > but 'getent passwd computername$' will.
> >
> > Rowland
Thanks for the feedback, everyone.
I implemented the assignment of uidNumber for computer accounts. The
details can be found at this merge request:
https://gitlab.com/JonathonReinhart/adman/-/merge_requests/7
The other half of the change was relaxing the list of groups excluded
from gidNumber assignment. ADMan will now assign a gidNumber to
"Domain Computers", "Domain Controllers" and similar groups.
Jonathon
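The two rules the thread settles on (computer accounts need a uidNumber if winbind in idmap "ad" mode is to resolve them, and any group that is the primaryGroupID of such an account, "Domain Computers" and "Domain Controllers" included, cannot be left without a gidNumber) are easy to get wrong when an assignment tool carries a blanket exclusion list. The following is an added example, not code from the thread or from ADMan: it runs both assignment passes over a small constructed directory snapshot and reports which accounts winbind could not fully map. The well-known RIDs (513, 515, 516), the sample account and group names, and the exclusion set are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Well-known AD RIDs (assumption: standard values; the thread names the
# groups but not their RIDs).
RID_DOMAIN_USERS = 513
RID_DOMAIN_COMPUTERS = 515
RID_DOMAIN_CONTROLLERS = 516

# The "exclude every provisioned group except Domain Users" rule quoted in
# the thread, as a constructed set of group names.
PROVISIONED_EXCLUSIONS = {
    "Domain Admins", "Domain Computers", "Domain Controllers",
    "Enterprise Admins", "Schema Admins",
}


@dataclass
class Account:
    sam: str                     # sAMAccountName; machine accounts end in '$'
    primary_group_rid: int       # primaryGroupID attribute
    uid_number: Optional[int] = None


@dataclass
class Group:
    name: str
    rid: int
    gid_number: Optional[int] = None


def is_computer(acct: Account) -> bool:
    return acct.sam.endswith("$")


def sample_directory() -> Tuple[List[Account], List[Group]]:
    """Constructed directory snapshot (not real data)."""
    accounts = [
        Account("alice", RID_DOMAIN_USERS, uid_number=10000),
        Account("bob", RID_DOMAIN_USERS),
        Account("FS01$", RID_DOMAIN_COMPUTERS),   # a file server's machine account
        Account("DC1$", RID_DOMAIN_CONTROLLERS),  # a DC's machine account
    ]
    groups = [
        Group("Domain Admins", 512),
        Group("Domain Users", RID_DOMAIN_USERS, gid_number=10000),
        Group("Domain Computers", RID_DOMAIN_COMPUTERS),
        Group("Domain Controllers", RID_DOMAIN_CONTROLLERS),
    ]
    return accounts, groups


def assign_uidnumbers(accounts: List[Account], start: int,
                      include_computers: bool) -> Dict[str, int]:
    """Give every account that lacks one the next free uidNumber >= start.
    Returns {sAMAccountName: uidNumber} for the accounts that were changed."""
    used: Set[int] = {a.uid_number for a in accounts if a.uid_number is not None}
    next_uid, assigned = start, {}
    for acct in sorted(accounts, key=lambda a: a.sam):
        if acct.uid_number is not None:
            continue
        if is_computer(acct) and not include_computers:
            continue
        while next_uid in used:
            next_uid += 1
        acct.uid_number = next_uid
        used.add(next_uid)
        assigned[acct.sam] = next_uid
    return assigned


def verify_primary_groups(accounts: List[Account], groups: List[Group]) -> List[str]:
    """sAMAccountNames that have a uidNumber but whose primary group has no
    gidNumber; winbind in idmap 'ad' mode cannot fully map these."""
    gid_by_rid = {g.rid: g.gid_number for g in groups}
    return sorted(a.sam for a in accounts
                  if a.uid_number is not None
                  and gid_by_rid.get(a.primary_group_rid) is None)


def assign_gidnumbers(accounts: List[Account], groups: List[Group], start: int,
                      excluded: Set[str]) -> Tuple[Dict[str, int], List[str]]:
    """Assign gidNumbers, honouring the exclusion list except for groups that
    are the primary group of an account that already has a uidNumber.
    Returns ({group name: gidNumber}, [excluded groups assigned anyway])."""
    required = {a.primary_group_rid for a in accounts if a.uid_number is not None}
    used = {g.gid_number for g in groups if g.gid_number is not None}
    next_gid, assigned, forced = start, {}, []
    for grp in sorted(groups, key=lambda g: g.rid):
        if grp.gid_number is not None:
            continue
        if grp.name in excluded:
            if grp.rid not in required:
                continue
            forced.append(grp.name)   # exclusion overridden: a mapped account depends on it
        while next_gid in used:
            next_gid += 1
        grp.gid_number = next_gid
        used.add(next_gid)
        assigned[grp.name] = next_gid
    return assigned, forced


if __name__ == "__main__":
    accounts, groups = sample_directory()
    print("uidNumbers:", assign_uidnumbers(accounts, 10000, include_computers=True))
    print("unmappable:", verify_primary_groups(accounts, groups))
    print("gidNumbers:", assign_gidnumbers(accounts, groups, 10000, PROVISIONED_EXCLUSIONS))
    print("unmappable:", verify_primary_groups(accounts, groups))
```

Running the uidNumber pass with machine accounts included and then checking primary groups shows exactly the gap Rowland describes: FS01$ and DC1$ have a uidNumber but their primary groups (RIDs 515 and 516) have none, so the gidNumber pass has to override the exclusion list for those two groups, while "Domain Admins" stays excluded because no mapped account uses it as a primary group.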